Node.js Security Release Summary - September 2017

The recent Node.js 8.5.0 release included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.

At the time of publishing, the security vulnerability haves been patched in a semver-minor release of the Node.js 8.x release line. The patched version is:

Node.js Security Impact Assessment

The recent Node.js 8.5.0 added a commit that triggered a vulnerability through checks on paths made by some third-party, community-maintained modules. The vulnerability enabled the possibility for an attacker to gain access to paths outside the ones that would be normally expected within the scope of an application.

Affected versions of Node.js

Node.js 8.5.0 is affected. Please upgrade to Node.js 8.6.0.

Node.js 6.x.x LTS is not affected.

Node.js 4.x.x LTS is not affected.

N|Solid Security Update - No Vulnerability

We don't currently support N|Solid on the Node.js 8.x release branch, but will be supporting it once Node.js 8.x becomes LTS at the end of October. Current N|Solid customers are not affected by the vulnerability if they are running a supported LTS version. A patched version of Node.js will be included once we support N|Solid with Node.js 8 LTS, in addition to the other release lines.

Stay Secure with Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules which offers security, reliability, and support for the modules that they rely on to run mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as an Architecture Evaluation to make sure that when you need help with Node.js, you can have someone to call.